Virginia: Extent of Hacker Drug-Data Breach Not Known

RICHMOND, Va. – State officials still don't know the extent to which a hacker compromised Virginia's prescription drug monitoring system.

Health and Human Resources Secretary Marilyn Tavenner told the House Appropriations Committee Tuesday that authorities are still assessing what a hacker did on April 30 when millions of electronic prescription records were stolen.

The breach represents a serious security breakdown for the system set up to allow doctors and pharmacists statewide to monitor prescriptions for the most powerful painkillers and narcotics such as Oxycodone, Vicodin, morphine and Valium.

Some police agencies investigating prescription drug fraud, theft and abuse could also access the data.

The compromised data included patient names, birth dates, addresses, medications that were prescribed to them and when.

Aside from privacy concerns, thieves could use the data to pinpoint people who have those prescriptions in their homes.

"This is not ordinary information. This is actually very sensitive patient information," said Del. John O'Bannon, R-Henrico, a practicing neurologist and member of the committee.

The FBI and State Police have begun a high-priority effort to track down the hacker, who left a taunting note on the Department of Health Professions Web site demanding a $10 million ransom for the stolen data.

The attack put the system off-line until the investigations are complete or authorities determine that security concerns are addressed.

The FBI expects to take about a couple of weeks, Tavenner said. Until the system gets the green light, pharmacies and prescribing doctors can fax prescription information to the agency where staff will update the database.

"To quote the FBI person, it's like looking for a needle in a haystack, but they do have the ability to find the needle and they will," she told members of the state's budget-writing panel.

Del. S. Chris Jones, R-Suffolk, is a pharmacist who uses the system but opposed the legislation establishing it in 2002. He said he has always had reservations about having records so sensitive in a digital format and was aghast that an a malicious intruder accessed it.

"We shouldn't even be here much less having to deal with this," Jones said. "Was it a money issue? Was it just not given the attention it should have had? Why?"

Del. Joe May, an electrical engineer by profession and the House's resident expert on technology issues, wanted to know what security measures the hacker had to overcome to access the records.

"It doesn't sound like the proper firewalls, the proper backing up, the proper security measures were in place, ... and the question is why didn't we go ahead and have VITA do it," said May, R-Loudoun.

Paquette said DHP had one of the most secure systems in state government, and that firewall systems and backups were operational at the time of the attack.

Also, contrary to early reports, the hacker did not wipe out the Prescription Monitoring Program data, she said. It was all stored and undamaged.

"It's one of those incidents that happened, not because all of those things weren't there, they were there," Paquette said.